SSH sessions and automated CRON jobs that log in to your Oracle database are shown as failed logins
Symptoms
SSH sessions and automated CRON jobs that log in to your Oracle database through SQLPLUS and RMAN with /as sysdba show as failed logins.
Causes
Oracle responds to these login attempts with the following error, even if it is not shown on the screen:
ORA-01017: invalid username/password; logon denied.
This error triggers the failed login alert. For example, if the database user WRONGLOGIN is a member of the DBA group and logs in with "sqlplus WRONGLOGIN as sysdba", the database authentication of WRONGLOGIN fails. This failure causes the ORA-01017 error alert to trigger and is reflected in the Guardium log. However, users with sysdba privileges can connect to the database without database authentication, so the session is allowed to continue. Both events, the failed database authentication and the session that continues as sysdba, are captured and recorded.
Environment
Guardium collectors are affected.
Resolving the problem
You can amend the policy to include an allow action before the rule that alerts about failed logins. Create an exception rule in the policy with the following conditions:
Client IP = <Server IP>
Source program = SQLPLUS
DB user in trusted group
OS user in group of Oracle DBAs
Net protocol = BEQUEATH (if local BEQUEATH, not TCP)
This rule skips the failed login alerts that are caused by the ORA-01017 error; the events themselves are still logged. To also filter these failed login alerts out of the reports, add the following conditions to the end of the report's conditions list:
AND
(
Client IP <> Server IP OR
Source program <> SQLPLUS OR
DB user NOT IN group of trusted OR
OS user NOT IN group of Oracle DBAs OR
Net protocol <> BEQUEATH (if this is local BEQUEATH, not TCP)
)
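The exception rule and the report filter above are two sides of the same test: the rule suppresses an alert when all five conditions hold, and the filter keeps a row when any one of them does not. The following Python is an added example, not part of this tech note and not Guardium code; it models that logic over a handful of constructed failed-login events so you can check which events the rule would suppress and which would still alert. The server address, the trusted DB user group, the Oracle DBA OS group and the event field names are all assumptions chosen for the example.

```python
# Added example: models the Guardium exception rule and report filter from the
# tech note. Group memberships, server IP and event fields are constructed.
from dataclasses import dataclass

SERVER_IP = "10.0.0.5"                       # assumed database server address
TRUSTED_DB_USERS = {"WRONGLOGIN", "RMANUSER"}  # assumed "trusted" DB user group
ORACLE_DBA_OS_USERS = {"oracle", "oradba"}   # assumed OS group of Oracle DBAs


@dataclass(frozen=True)
class FailedLogin:
    """One failed-login event as Guardium would record it (field names assumed)."""
    client_ip: str
    source_program: str
    db_user: str
    os_user: str
    net_protocol: str


def is_local_sysdba_artifact(ev: FailedLogin) -> bool:
    """Exception rule: all five conditions from the tech note must hold."""
    return (
        ev.client_ip == SERVER_IP
        and ev.source_program.upper() == "SQLPLUS"
        and ev.db_user.upper() in TRUSTED_DB_USERS
        and ev.os_user in ORACLE_DBA_OS_USERS
        and ev.net_protocol.upper() == "BEQUEATH"
    )


def report_filter_keeps(ev: FailedLogin) -> bool:
    """Report condition 'AND ( ... OR ... )': keep the row if any condition differs."""
    return (
        ev.client_ip != SERVER_IP
        or ev.source_program.upper() != "SQLPLUS"
        or ev.db_user.upper() not in TRUSTED_DB_USERS
        or ev.os_user not in ORACLE_DBA_OS_USERS
        or ev.net_protocol.upper() != "BEQUEATH"
    )


def triage(events):
    """Label each event the way the policy order in the note would: allow first."""
    return [(ev, "suppressed" if is_local_sysdba_artifact(ev) else "alert")
            for ev in events]


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    # local cron job: sqlplus / as sysdba over BEQUEATH by the oracle OS user
    FailedLogin(SERVER_IP, "sqlplus", "WRONGLOGIN", "oracle", "BEQUEATH"),
    # same DB user, but arriving remotely over TCP: not the benign pattern
    FailedLogin("192.0.2.44", "sqlplus", "WRONGLOGIN", "oracle", "TCP"),
    # local BEQUEATH, but the DB user is not in the trusted group
    FailedLogin(SERVER_IP, "sqlplus", "GUEST", "oracle", "BEQUEATH"),
    # local BEQUEATH, trusted DB user, but OS user is not an Oracle DBA
    FailedLogin(SERVER_IP, "sqlplus", "WRONGLOGIN", "www-data", "BEQUEATH"),
    # RMAN session: the rule as written tests Source program = SQLPLUS only
    FailedLogin(SERVER_IP, "rman", "RMANUSER", "oracle", "BEQUEATH"),
]


def triage_labels(events=SAMPLE_EVENTS):
    """Return just the labels, in event order, for quick checking."""
    return [label for _, label in triage(events)]


if __name__ == "__main__":
    for ev, label in triage(SAMPLE_EVENTS):
        print(f"{label:10} {ev.source_program:8} {ev.db_user:12} "
              f"{ev.os_user:10} {ev.client_ip:12} {ev.net_protocol}")
```

Two things are worth noticing when you run it. First, `report_filter_keeps` is always the exact negation of `is_local_sysdba_artifact`, which is what the "AND ( ... OR ... )" block in the note relies on; if you ever edit one set of conditions in Guardium without the other, the reports and the alerts drift apart. Second, the RMAN event still alerts, because the exception rule in the note tests for SQLPLUS as the source program; if your RMAN jobs produce the same ORA-01017 artifact, they need the same treatment with their own source program value.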